1. Field of the Invention
The invention relates to a transmitting apparatus, a transmitting method, a receiving apparatus, a receiving method, a transmitting and receiving system, and a transmitting and receiving method, in which in a system which has a layer structure and unidirectionally distributes data arranged on a network so as to be distributed thereon, a copy of a distributed public key directory entry is updated.
2. Description of the Related Arts
Various methods have been proposed as a data distributing method. For example, on the present Internet, a protocol using a TCP/IP (Transmission Control Protocol/Internet Protocol) such as an http (Hyper Text Transfer Protocol) as a basic protocol is used. In the TCP/IP, a call is generated from the reception side which receives data distribution to the transmission side of the data and, further, each time the data is transmitted and received, a connection is established between the transmission side and the reception side. Therefore, the data distribution at a high reliability can be performed.
On the other hand, there is a case where a load on the transmission side or the network increases and it is difficult to perform the efficient data distribution. That is, if the number of terminals which receive the presentation of data increases and accesses to a server which provides the data are concentrated, the server or network bears a large load and even if the terminal requests the data, it takes a long time until the data is obtained.
To solve such a problem, for example, there has been proposed a method of performing data distribution by using a satellite line or a CATV (Cable Television) line which can perform a simultaneous multi-address (multiple address) in a wide area, ground wave digital broadcast which will be put into practical use in the future, or the like. In this case, the load on the server or network is not influenced by an increase in number of terminals.
In recent years, owing to the development of a digital communication network such as Internet or the like, a large amount of data is accumulated onto the network and it is demanded to efficiently use such a large amount of data. For this purpose, attention is paid to a directory service for layer-managing data existing on the network so as to be distributed thereon and providing it to the users. By using the directory service, the user can rapidly find his own necessary information from information distributed and existing on the network and access it.
The directory service has been specified, for example, as X.500 series by the OSI (Open Systems Interconnection) or the like as an international standard. According to X.500, it has been defined with respect to the directory in a manner such that it is a set of open systems and each open system cooperatively has a logical database of information regarding a set of objects in the actual world.
According to the directory service by X.500, the information which the directory has can be searched or viewed. For example, a list represented by a phone book, authentication of the user, or the like is also provided by the directory service. Further, in the directory service, an object is named so that it can be easily learned by heart, presumed, and recognized, particularly, by the user as a human being.
The directory service by X.500 is extremely comprehensive, a program size is very large, and it is very difficult to realize such a service in the Internet in which the TCP/IP is used as a protocol. Therefore, a directory service like LDAP (Lightweight Directory Access Protocol) which is light weighted for the TCP/IP has been proposed.
In the case where the user uses the directory service, he can perform a filtering process for the directory. A filtering mask for performing the filtering process is set in accordance with a tendency of an access to the directory or with a favor of the user. For example, the filtering mask is set to a specific information genre in accordance with a favor of the user. The user can selectively access the directory information in which the filtering mask has been set. By executing the filtering process, the user does not need to keep unnecessary information.
In recent years, an example in which the directory service is performed in data transmitting means for performing the foregoing simultaneous multi-address, that is, the satellite line, CATV line, ground wave digital broadcast, or the like has been proposed. In this case, information by the directory service is unidirectionally provided and the information cannot be requested from the user side. Therefore, as directory information by the directory service, the same information is repetitively transmitted.
On the user side, the transmitted information is stored into, for example, an IRD (Integrated Receiver Decoder) or an STB (Set Top Box) as a receiver for digital broadcast which is used by being connected to a television receiver or the like. At this time, the filtering process is performed by using the foregoing filtering mask and the directory information according to a favor of the user is selectively stored. The filtering mask which is used for the filtering process is set on the user side.
The Internet as an open network always has a risk such as wiretapping of information, manipulation, or pretension. There is an authentication system to prevent such a risk. An environment serving as an infrastructure to operate the authentication system is called a PKI (Public Key Infrastructure). Attention is paid to the PKI as an infrastructure environment for operating encryption communication, E-mail, various settlement protocols, or the like on the Internet. It is considered that a success or failure in future EC (Electronic Commerce) on the Internet depends on the reliability of such an environment.
A public key encryption system which is used in the PKI is an asymmetrical encryption system in which two keys of a secret key and a public key are used and encoding and decoding are performed by these two different keys. A public key is formed from a secret key which the user himself holds and the public key can be handed to a partner. Data encrypted by the public key can be decoded only by the secret key corresponding thereto and data encrypted by the secret key can be decoded only by the public key corresponding thereto. A digital signature can be given by using such characteristics.
If only the public key is used, the foregoing “pretension” is possible. Therefore, by issuing a public key certificate (digital certificate) from a CA (Certificate Authority), a management of the public key and its authentication are performed. The public key certificate is issued, for example, by the following manner. The subscriber forms a pair of secret key and public key by a predetermined method and submits the public key to the CA. The CA confirms a status or the like of the subscriber, thereafter, gives a signature of the CA to information such as serial number of the certificate, name of the subscriber, public key, term of validity, and the like, and issues the public key certificate to which the CA previously gave a digital signature by using the open public key.
A construction of the public key certificate will now be described with reference to FIGS. 28A and 28B. FIG. 28A schematically shows a procedure of forming the public key certificate. The public key certificate comprises: information such as serial number, issuer (Certificate Authority) name, term of validity, name of holder, and the like (this information is referred to as certificate information here); a public key of the holder; and a signature by the CA in which a “finger print” obtained by converting the certificate information by a digest function has been encrypted by a secret key of the CA. The digest function is a function having features such that a long document is converted into a document of a predetermined short length and, even if the original information changes slightly, a conversion result largely differs. Therefore, a value obtained by the digest function is referred to a “finger print” of the original document.
FIG. 28B schematically shows a procedure for confirming the public key certificate formed as mentioned above. The “finger print” is obtained from the certificate information included in the public key certificate by the digest function. In the public key certificate, the signature annexed to the certificate information is decoded by the public key of the CA. A result of the decoding is compared with the “finger print”. If they coincide, it is possible to determine that the public key certificate is a legal certificate which is not manipulated.
At present, it is promoted to fully equip a system such that the foregoing public key certificate which is positioned as an important function of the PKI is distributed and managed to the users distributed in a wide range. Hitherto, however, there is a problem such that a majority of users distributed in a wide range are effectively notified of the lapsed public key certificate is not established.
For example, in the case where the certificate was stolen, a person retired and lost the qualification of using the certificate, or the like, there is a situation such that the server side wants to invalidate the public key certificate without waiting for the term of validity which has been predetermined in the public key certificate.
In such a case, the serial number of the invalidated (lapsed) certificate, the date of lapse, and the like are registered into a system for distributing and managing the public key certificate, and at the time of an authentication procedure, an application which uses the public key certificate has to be made to confirm every time whether the target public key certificate is not lapsed or not. As a system for providing lapse information of the public key certificate, and further performing the distribution, management, and lapse collation of the public key certificate itself, an online lapse information collation service (PKI directory service) is considered.
In the PKI directory service, if the number of clients (applications which collate the lapsed information of the certificate) becomes a majority, there is a fear that the system is broken due to an increase in load of query. Therefore, a method whereby copies of the original PKI directory server are formed in a plurality of distributed PKI directory servers and the load of query is distributed is used. However, in case of forming the copy, although the necessity of updating and managing them to the latest information is caused, there is a problem such that if the number of copies becomes very large, it is difficult to update and manage them.